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Legal Notices 


Information in this document is provided in connection with Intel® products. No license, 
express or implied, by estoppels or otherwise, to any intellectual property rights is 
granted by this document. Except as provided in Intel’s Terms and Conditions of Sale 
for such products, Intel assumes no liability whatsoever, and Intel disclaims any express 
or implied warranty, relating to sale and/or use of Intel products including liability or 
warranties relating to fitness for a particular purpose, merchantability, or infringement 
of any patent, copyright or other intellectual property right. Intel products are not 
intended for use in medical, life saving, or life sustaining applications. 


Intel may make changes to specifications and product descriptions at any time, without 
notice. 


The API and software may contain design defects or errors Known as errata which may 
cause the product to deviate from published specifications. Current characterized errata 
are available on request. 


This document and the software described in it are furnished under license and may 
only be used or copied in accordance with the terms of the license. The information in 
this document is furnished for informational use only, is subject to change without 
notice, and should not be construed as a commitment by Intel Corporation. Intel 
Corporation assumes no responsibility or liability for any errors or inaccuracies that may 
appear in this document or any software that may be provided in association with this 
document. Except as permitted by such license, no part of this document may be 
reproduced, stored in a retrieval system, or transmitted in any form or by any means 
without the express written consent of Intel Corporation. 


Contact your local Intel sales office or your distributor to obtain the latest specifications 
and before placing your product order. 


Copyright © 2011 Intel Corporation. 


* Third party names and brands may be claimed as the property of others. 
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1. Introduction 


1.1 Document purpose and scope 
This document introduces the background and functions of the Intel® Education Theft 
Deterrent client version 4.x. The intended audiences of this document are the 
administrator and support personnel of the Theft Deterrent system. 


This document also provides instructions on how to unlock devices. However, the 
detailed unlocking procedure varies from institution to institution and therefore it is 
beyond the scope of this document. 


1.2 Terminology 


1.2.1 Abbreviations 


Thett Deterrent Serve 
Thelt Deterrent Client 





1.2.2 Definitions 


Note: The term device is used to refer to Intel@ Education Tablet and Intel® classmate PC. 


applies a package from the server successfully. 


Remaining Cycles The number of times that a device can reboot or restore from 
sleep or hibernate before it is locked. 


This is not applicable to Intel® Education Tablet. 


Provision Number | A 20-digit hexadecimal number generated from the Public Key 


(S/N) of the server. 


Unlock Code A 10-digit number generated by the server for unlocking a 
device. 


Offline Package A file named tcopp.bin for unlocking a device or updating the 
confidential information on a device. 
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1.3 Reference Document 


Theft Deterrent server User Manual 2013-02 





Theft Deterrent Deployment Guide 2013-02 


2. What is Theft Deterrent Client 


Intel® Education Theft Deterrent client (client) is the client component of the Intel® 
Education Theft Deterrent system, which is designed to deter theft of Intel® Education 
Tablet and Intel® classmate PC. 


2.1 Theft Deterrent Client Requirements 


The client is a pre-installed component on the device. The only requirement is to make 
sure that the client has a network connection to the Theft Deterrent server (server). 


For information about the system requirements of the device, see the Intel® Education 
Theft Deterrent Deployment Guide. 


2.2 How Theft Deterrent server Works 


In general, the client is pre-activated in factory by default. You can skip this section if 
your client is already activated. 


To ensure that your client is activated, you can check the client icon to make sure that 


| 


the client is not in Inactive —— status. 


lf your client has not been activated, follow these steps to activate your client with the 
server: 


1. Ensure that the client is connected with the server. An activation request will 
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be sent to the server automatically. 


2. After the server approves your activation request, a reboot dialog will pop up 
on your device. The dialog contains a countdown timer that starts from 60 
seconds and the system will automatically reboot after 60 seconds. 


Reboot 


System will restart to update the security files. Please 
Ciasetme alll ener P tw sf ‘ tue 7. at ihe = Din so 3 
yy Stern will restart to update the security files. Please save all your work in progress. 


Save all YOur WOrK I progress 


Teme remaining: 58 seconds 


Timé remaining: 54 seconds 





Restart Now 











Intel® Education Tablet Intel® classmate PC 


FIGURE 1 — Reboot Dialog 


During the activation process, the server sets the Expiration Date and the Remaining 
Cycles for the client to enable the Theft Deterrent mechanism. Once the client is 
activated, it can operate automatically without user interaction. It can be verified by the 


status Icon Lo 


2.3 How Theft Deterrent Client Works 


After a client is activated, the server sets the Expiration Date and the Remaining 
Cycles for the client. By default, the Expiration Date is 90 days from the current date 
and the Remaining Cycles is 300. The server admin can configure the default values 
according to his/her needs. 


When either of the following cases occurs, the device is locked after it reboots or 
restores from sleep or hibernate: 


e The Expiration Date has passed. 
e The Remaining Cycles decreases to 0. 


When either of the values is about to expire, the server resets them to the default values 
automatically. Therefore, you must ensure the device is connected with the server to 
avoid device lock. 


Note: The Remaining Cycles is not applicable to Intel® Education Tablet. 
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3. Functions of the Theft Deterrent Client 


In general, once the client is set up correctly as shown in First Time Setup and 
Activation, minimal manual changes are needed. 


3.1 View and Verify Theft Deterrent Client Status 


To view or verify the status and settings of the client, click the Theft Deterrent client 


wy 
application icon on the desktop to open the client. 


‘inte Theft Deterrent cllerit 
—— 


nig «Thett Oeterrent chant 
poo 





Intel® Education Tablet Intel® classmate PC 


FIGURE 2 — Theft Deterrent client 


On the Device Information page, check the status icon in the client status table. If you 
see an error message, see the error message table. 


The following information is displayed on the Device Information page: 


Device Status 


Device Status The status of the client 


Boot Tick A hexadecimal number that increases by 1 after the client applies a 


package from the server successfully. 


Expiration Date | The date from which the device will be locked 


Remaining The number of times that you can reboot the device or restore the device 
Cycles from sleep or hibernate until it is locked. This is not applicable to Intel® 
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ee Education Tablet. 


System Information 


Hardware ID A 12-character string that is unique for each device. 


The computer name of the device. 


The name of the school or region that this device belongs to in the 
server. 





Note: On Android, the client icon is displayed in the system notification area when the client is About 
to Expire, is downloading upgrade package, or has failed to upgrade. You can tap the tray icon to 
view detailed notifications and tap the notifications to perform the required actions. 


3.2 Configure Connection Settings 


In general, the connection settings in the client are pre-configured in factory by default. 
You can skip this section if the settings are pre-configured. 


Otherwise, you can configure the connection settings manually to ensure that the client 
is communicating with the server. Follow these steps: 


1. Select the Settings tab, click the Edit button. 


2. If yousee a popup window, input the client password and then click OK. Please contact 
the designated support personnel if you do not have the password. 


3. Input the IP address or the URL of the server in the Server Address/URL field and 
then click Save. 


4. If you need to configure proxy to access the server, click the Set up Proxy link and 
select a setting option of your choice: 


a. If the proxy server address has been configured in the operating system, select 
Use system proxy settings. Otherwise, select Manual proxy configuration and 
input the server address and port number. 

60. Input the username and password of the proxy server if proxy authentication is 
required and then click OK. 


5. Click the Test button to test the connection. 


a. Ifyou see the message “Connection is successful!”, the client will connect with the 
server after a while. No further action is required. 
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0. If you see the message “Connection failed” or “Connection failed because of 
invalid proxy”, check the server address and proxy settings and make sure that 
you are connected to the correct network. Then test the connection again. 


wa " ri ) Theft Deterrent cllent 
inte) Theft Deterrent client intel 





Intel® Education Tablet Intel® classmate PC 


FIGURE 3 — Connection Settings 


3.3 Change Display Language 


You can configure the client to display one of the following languages: 


— | Intel® Education | On Intel® classmate PC 
Tablet 


English (United States) 


Espanol (Latinoamérica) 


Portugués (Brasil) 


Turkce 
Frangais (France) 
dss yall 





3.3.1 Change Language on Intel® Education Tablet 


On Intel® Education Tablet, the client displays the Android system language. To 
change the display language of the client, follow these steps: 


1. Open Settings in Android desktop. 


2. Select Language & input from the left menu and then click Language. 
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3. Select the language of your choice and the display language of the client is changed 
accordingly. 


Norsk bolona 


Portugues (Gras) 


Portugues (Portugal) 


Purmantsch 





FIGURE 4 — Change Display Language (Intel® Education Tablet) 


Note: Only the following languages are supported in the current client version. If you select a system 
language other than these, the client is displayed in English. 

Engiish (United States) 

Espafiol (Estados Unidos) 


Portugués (Brasil) 





3.3.2 Change Language on Intel® classmate PC 


To change the display language of the client on Intel® classmate PC, select the 
language of your choice and then click Apply on the Settings page. 
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(inte Theft Deterrent cllent 
~~ 


Server Adoress / URL: 
Server Name 


Set up Pros. 





FIGURE 5 — Change Display Language (Intel® Classmate PC) 


3.4 Log in Theft Deterrent server to Generate Unlock Code 


You can set up your student account on the server. In case when your device is locked, 
you can generate the unlock code by yourself. 


3.4.1 Set up Student Account 


To set up your student account, follow these steps: 


Open the server webpage for student. 


e Windows: Right-click the client tray icon and click Log in Theft Deterrent 
server from the tray menu. 


Open Theft Deterrent client 
Help 


About 








Log in Theft Deterrent server = 


bens 


e Debian: Click the client tray icon and click Log in Theft Deterrent server from 
the tray menu. 
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e Android: Open the client and click the =, icon on the upper-right corner and 
then select Log in server. 


On the server webpage for student, set up your account by inputting your name, 
password and email. 


Note: The password must be 6 to 12 characters in length. 


3.4.2 Generate Unlock Code by Student 


In case when your device is locked, you can borrow a device to generate the unlock 
code for your device. Follow these steps: 


Open the server webpage for student. 
Log in with the Hardware ID displayed on the lock screen and your account password. 
On the home page, click Generate Unlock Code. 


Input the Boot Tick displayed on the lock screen and then click Generate to generate 
the unlock code. 


Note: By default, you can only generate unlock code for 3 times within 30 days. The server admin 


can configure this default value according to his/her needs. 


4. Unlock a Device 


A device can be locked or unlocked based on a set of policy defined by the server 
admin. The most common reasons a device is locked are as follows: 


e The device is locked automatically when the Expiration Date passes the 
current date or the Remaining Cycles decreases to 0. 
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e The device is locked manually by the server admin when, for example, this 
device is reported stolen. 


This section introduces the steps to unlock devices. The unlocking procedures for 
Intel® Education Tablet and Intel® classmate PC are different. 


e How to Unlock Intel® Education Tablet 
e How to Unlock Intel® classmate PC 


Note: If unlocking failed, the device might reboot automatically after the unlocking process but returns 
to the lock screen. For more information, see Resolve Unlocking Errors. 


4.1 How to Unlock Intel® Education Tablet 


If you see a lock screen as shown in Erro! A origem da referéncia nao foi 
encontrada., unlock the device with one of the following methods: 


e Unlock with Unlock Code 
e Unlock through Network 
e Unlock with Removable Devices 


Note: You must unlock the device with removable devices if the server is not available. 


For security reasons, the system shuts down automatically 20 minutes after the lock 
screen is displayed. Hardware buttons such as the power and volume buttons are not 
supported when the device displays the lock screen. 


ikES — inspiring knowledge Education Software — Theft Deterrent Client 14 


intel’ Education Theft Deterrent 


fy 


The system will shut down in 00;19:07 


ov 


bv 2] 


\~ 


‘ 


> 





FIGURE 6 — Intel® Education Tablet Lock Screen 





To change the display language, click the ey 
and then select a language of your choice. 


button at the bottom-left side of the page 


4.1.1 Unlock with Unlock Code 


To unlock the device with the unlock code, follow these steps: 


Provide the designated support personnel the Hardware ID and the Boot Tick shown 
on the lock screen to request an unlock code. 


On the lock screen, click Unlock with Unlock Code. 


Input the unlock code and then click Unlock to unlock the device. 


4.1.2 Unlock through Network 


To unlock the device through the network, ensure that the required network is available 
and follow these steps: 


Click Unlock through Network. 


Input the server address, leave the default network type and then select your network. 
Input the password of the network if required. 
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FIGURE 7 — Unlock through Network 


If you need to set up the proxy server, click the Set up proxy server link. 


The ) icon is shown next to the Available networks field when the network 
connection between the device and the server is established. Click the Unlock button 
to unlock the device. 





4.1.3 Unlock with Removable Devices 


To unlock the device with a removable device such as a USB drive or a SD card, make 
sure the device to be unlocked has the corresponding physical interface and follow 
these steps: 


Provide the designated support personnel the Hardware ID, Boot Tick, and the 
Provision Number shown on the lock screen to request an offline package. 


Copy the offline package to a removable device. 


Insert the removable device to the locked device and then click Unlock with 
Removable Devices to unlock the device. 


Note: Do not rename the offline package. 
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4.2 How to Unlock Intel® classmate PC 


If you see a lock screen as shown in Erro! A origem da referéncia nao foi 
encontrada., unlock the device with one of the following methods: 


e Unlock with Unlock Code 
e Unlock with USB 


Note: You must unlock the device with USB if the server is not available. 


Swru. The Ts emiter boot certificate hae expired and the machine io mw 
inched. Please contect your computer administrator to obtain an anlock 
wt ae ee 

ee 9C -87-00-17- its 
teot Tick oo 00 2h 
o/h 07 -OC -01 -03 -05 -Of -08 -07 -07 -ON -06 -0D -05 -07 -OF -07 -09 -0D -03-0F 


fre you ready to enter the unlock codeT 
(frees Y for Yea. or N for Mo. Syetes will ahut down if you type N.) 





FIGURE 8 — Intel® Classmate PC Lock Screen 


4.2.1 Unlock with Unlock Code 


To unlock the device with the unlock code, follow these steps: 


1. Provide the designated support personnel the Hardware ID and the Boot Tick shown 
on the lock screen to request an unlock code. 


2. On the lock screen, type Y. 


3. Input the unlock code and then press ENTER to unlock the device. 


4.2.2 Unlock with USB 


To unlock the device with a USB drive, follow these steps: 
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1. Provide the designated support personnel the Hardware ID and the Provision 
Number (S/N) shown on the lock screen to request an offline package. 


2. Copy the offline package to a USB drive. 
3. Insert the USB drive to the device and then press CTRL+INSERT to unlock the device. 


Note: Do not rename the offline package. 


4.3 Additional Steps 


Right after a device is unlocked, the client is set with a Remaining Cycles or Expiration 
Date that would expire soon: 


e Intel® Education Tablet: expires after 10 Remaining Cycles. 
e Intel® classmate PC: expires after 10 days. 


Therefore, you must connect the device with the server to renew the values of the 
Remaining Cycles and the Expiration Date to avoid device lock again. 


5. Troubleshooting Tips 


5.1 Theft Deterrent Client Status 


Device Status Tray Description 
Icon 

Normal P The client is working | No action is required. 
Lo correctly. 


Permanent P| The client is working | No action is required. 
ig) correctly. lts Expiration 
Date and Remaining 
Cycles are set to a value 
that will never expire. 


About to Expire | | The device will be locked in | Make sure that the client is 
a few days or after a few | connected with the server so 
boots, sleep, or | that the Expiration Date 
hibernation. and Remaining Cycles will 

be renewed automatically. 
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Downloading The client is downloading | Make sure that the client is 

upgrade package | ) | an upgrade package. connected with the server 
and do not restart the 
sysiem. 


Upgrading Theft | | The client upgrade is in | In Windows, no action is 

Deterrent client | ) | progress. required. In Android, 
confirm to install the 
upgrade package. 


The client has error. Check error messages and 
error codes. 


Inactive ; | The client has not been | Connect the client with the 
q / | activated and thus is not | server and then contact the 
protected by the Theft | server admin to activate the 

Deterrent mechanism. client. 


5.2 Error Message 





lf an error message Is displayed on the client, follow these solutions: 


[Message | Soliton 
Cannot connect with the server | Connect the client with the server. 


Waiting for server approval... Wait for the server to approve the client and reboot the 
device when you see the popup dialog requesting 
system reboot. 


Rejected by the server Make sure that the client is connected with the correct 
server. 


Connected with the wrong | Make sure that the client is connected with the correct 
server server. 


The server is busy. Please wait... | Wait a while and check the status again. 


The server is under | Wait a while and check the status again. 

maintenance 

Boot Tick inconsistent Contact the designated support personnel to reset the 
Boot Tick value. 

Certificate download limit | Contact the designated support personnel to reset the 

exceeded download limit. 


Make sure that the network connection between the 
Download/ Upgrade Failed server and the client is successfully. Wait a while and 
check the status again. 


Server error The server has error. 
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Check the device error codes. 
No Secure Storage Theft Deterrent is not supported in this device. 


5.3 Error Code 


lf you see an error code on the client or on the Intel® Education Tablet lock screen, 
check the error codes in the following table: 


Client Error | Unlock Screen | Description 
Code Error Code 


The TPM is disabled. 

oars 
The TPM is deactivated. 
wow 


0X02010004 0X01010004 Error occurred during TPM initialization in the 
0X02010005 0xX01010005 manutactory line. The possible reasons include the 
following: 
pias Bauer 1. The TPM does not have an Endorsement Key 
0X0201000C 0X0101000C pre-installed. 
0X0201000E 0X0101000E 2. The TPM NV partition or NV index creation 
failed. 


0X0201000F 0X0101000F 
3. The TPM status Is incorrect. 


OX0201FFFF 0X0101FFFF Internal error accessing the TPM. 


The following error codes describe the detailed reasons of unlocking failure during 
Unlock through Network: 


Unlock Description 
Screen Error 
Code 


0x01040002 Cannot connect with the server. 





0x01040040 The server address is invalid because it is shorter than 4 characters. 


Cannot connect with the server because the proxy username or password 
0x01040080 | is invalid. 


0x04020003 | Server is busy. Please try again later. 
0x04020004 | Server is under maintenance. Please try again later. 
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0x04070001 Cannot unlock this device because It is not managed by the server yet 


Cannot unlock this device because it is still waiting for the server's 
0x04070002 | approval. 


0x04070003 | Cannot unlock this device because it has been rejected by the server. 


Connected to the wrong server. (The Root Public Key in the server is not 
0x04070005 | the same as that in the device) 


Connected to the wrong server. (The server Public Key is not the same as 
0x04070006_ | that in the device) 


Failed to unlock the device because the Boot Tick in the client Is 
0x04070007 inconsistent with that in the server. 

Failed to unlock the device because the certificate download limit exceeded 
0x04070008 the threshold in the server. 





5.4 Resolve Unlocking Errors 


lf your device reboots and returns to the lock screen after you unlock the device with 
an unlock code, make sure that you input the correct unlock code. If the problem 
remains, see Resolve Unlock Code Problems. 


lf your device reboots and returns to the lock screen after you unlock the device with a 
removable device, make sure that you use the correct offline package. 


If you failed to unlock the device through the network, make sure that the device is 
connected with the server correctly. If you see an error code on the lock screen of 
Intel® Education Tablet, check the error codes for unlocking through network. 


5.5 Resolve Unlock Code Problems 


lf you cannot unlock the device with the unlock code, this might be because the 
confidential information in the server is not the same as that in the client. Therefore, it 
is recommended that you update the confidential information with a removable device 
by following the unlock steps for your Intel® Education Tablet or Intel® classmate PC. 


The device is still locked after you update the confidential information. You can now 
unlock the device with an unlock code. 
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2: 


6. FAQ 


1. 


What is the removable device format supported for unlocking? 


Answer: The FAT file system. 


What is the network protocol supported for device unlocking through network? 


Answer: The wireless encryption standards supported are as follows: 


e WPA 

e WPA2 

e WEP (Hex Security Key only) 
e NONE 


Why doesn’t the Theft Deterrent client start up? 


Answer: The client should be loaded automatically at system start-up. If your client is 
not running properly, reboot the device to start the client automatically. 


Also, if the client runs on Windows, you can check the following services from the Start 
menu -> Computer Management -> Services and Applications. 


e Theft Deterrent agent service 
e Theft Deterrent guardian service 


lf either of the services is stopped, start it manually. If the problem remains, it is 
recommended that you re-install the client and guardian. 


Can | uninstall the Theft Deterrent client? If so, what will happen after uninstall? 


Answer: As amanagement program, the Theft Deterrent client should be kept running 
at all times. However, you can still uninstall the client but a protection application named 
Theft Deterrent guardian must be uninstalled before uninstalling the client. 
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To uninstall the guardian and the client, follow these steps: 


e Windows: use Add or Remove Programs in the Control Panel. The client 
protection password might be required. 
e Android: use Manage applications in Settings. 


Will the About to Expire status affect the device functions? 


Answer: No. The About to Expire status only informs the user to ensure that the client 
is connected with the server so that the server can update this status automatically. 


Can the useable time be extended by modifying the device’s system time/date? 


Answer: For Intel® Education Tablet, changing the system time will not affect the 
useable time of the device. 


For Intel® classmate PC, changing the system time can extend the usable time of the 
device. However, this will not impact the Remaining Cycles and the device will 
eventually be locked after the Remaining Cycles decreases to 0. 


Why can’t the Theft Deterrent client connect with the server? 


Answer: If you cannot establish a connection between the client and the server, make 
sure that the following settings are configured: 


e The network settings are properly set up. 
e The antivirus software and the firewall on your device allow the following ports: 
5000, 7911, 8911, 9911. 


8. Why can’t! enter the login page when | open the server webpage for student? 


Answer: The login page is displayed only after the device owner completes the student 
account settings. Therefore, to generate an unlock code with a device borrowed from 
your classmate, ask your classmate to complete his or her account settings and then 
you can log in the server with your own Hardware ID and password. 
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